Securing Debian Manual
Total Page:16
File Type:pdf, Size:1020Kb
Securing Debian Manual Javier Fernández-Sanguino Peña <[email protected]> ‘Authors’ on this page Version: 3.16, built on Sun, 08 Apr 2012 02:48:09 +0000 Abstract This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribu- tion installation, it also covers some of the common tasks to set up a secure network environ- ment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. Copyright Notice Copyright © 2002-2013 Javier Fernández-Sanguino Peña Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña Copyright © 2000 Alexander Reelsen Some sections are copyright © their respective authors, for details please refer to ‘Credits and thanks!’ on page 29. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 (http://www.gnu.org/licenses/ old-licenses/gpl-2.0.html) or any later version (http://www.gnu.org/copyleft/ gpl.html) published by the Free Software Foundation. It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY. Permission is granted to make and distribute verbatim copies of this document provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this document into another lan- guage, under the above conditions for modified versions, except that this permission notice may be included in translations approved by the Free Software Foundation instead of in the original English. i Contents 1 Introduction 1 1.1 Authors...........................................1 1.2 Where to get the manual (and available formats)...................2 1.3 Organizational notes/feedback.............................3 1.4 Prior knowledge......................................3 1.5 Things that need to be written (FIXME/TODO)....................3 1.6 Changelog/History....................................6 1.6.1 Version 3.16 (January 2013)...........................6 1.6.2 Version 3.15 (December 2010)..........................7 1.6.3 Version 3.14 (March 2009)............................7 1.6.4 Version 3.13 (Februrary 2008)..........................7 1.6.5 Version 3.12 (August 2007)...........................8 1.6.6 Version 3.11 (January 2007)...........................8 1.6.7 Version 3.10 (November 2006)..........................9 1.6.8 Version 3.9 (October 2006)............................9 1.6.9 Version 3.8 (July 2006).............................. 10 1.6.10 Version 3.7 (April 2006)............................. 10 1.6.11 Version 3.6 (March 2006)............................. 10 1.6.12 Version 3.5 (November 2005).......................... 11 1.6.13 Version 3.4 (August-September 2005)..................... 12 1.6.14 Version 3.3 (June 2005).............................. 12 1.6.15 Version 3.2 (March 2005)............................. 12 1.6.16 Version 3.1 (January 2005)............................ 13 CONTENTS ii 1.6.17 Version 3.0 (December 2004)........................... 13 1.6.18 Version 2.99 (March 2004)............................ 14 1.6.19 Version 2.98 (December 2003).......................... 14 1.6.20 Version 2.97 (September 2003).......................... 15 1.6.21 Version 2.96 (August 2003)........................... 15 1.6.22 Version 2.95 (June 2003)............................. 15 1.6.23 Version 2.94 (April 2003)............................. 16 1.6.24 Version 2.93 (March 2003)............................ 16 1.6.25 Version 2.92 (February 2003).......................... 16 1.6.26 Version 2.91 (January/February 2003)..................... 16 1.6.27 Version 2.9 (December 2002)........................... 17 1.6.28 Version 2.8 (November 2002).......................... 17 1.6.29 Version 2.7 (October 2002)............................ 18 1.6.30 Version 2.6 (September 2002).......................... 18 1.6.31 Version 2.5 (September 2002).......................... 18 1.6.32 Version 2.5 (August 2002)............................ 18 1.6.33 Version 2.4..................................... 22 1.6.34 Version 2.3..................................... 22 1.6.35 Version 2.3..................................... 22 1.6.36 Version 2.2..................................... 23 1.6.37 Version 2.1..................................... 23 1.6.38 Version 2.0..................................... 23 1.6.39 Version 1.99.................................... 25 1.6.40 Version 1.98.................................... 25 1.6.41 Version 1.97.................................... 25 1.6.42 Version 1.96.................................... 25 1.6.43 Version 1.95.................................... 26 1.6.44 Version 1.94.................................... 26 1.6.45 Version 1.93.................................... 26 1.6.46 Version 1.92.................................... 26 1.6.47 Version 1.91.................................... 26 CONTENTS iii 1.6.48 Version 1.9..................................... 27 1.6.49 Version 1.8..................................... 27 1.6.50 Version 1.7..................................... 27 1.6.51 Version 1.6..................................... 28 1.6.52 Version 1.5..................................... 28 1.6.53 Version 1.4..................................... 28 1.6.54 Version 1.3..................................... 29 1.6.55 Version 1.2..................................... 29 1.6.56 Version 1.1..................................... 29 1.6.57 Version 1.0..................................... 29 1.7 Credits and thanks!.................................... 29 2 Before you begin 31 2.1 What do you want this system for?........................... 31 2.2 Be aware of general security problems......................... 31 2.3 How does Debian handle security?........................... 34 3 Before and during the installation 35 3.1 Choose a BIOS password................................. 35 3.2 Partitioning the system.................................. 35 3.2.1 Choose an intelligent partition scheme.................... 35 3.3 Do not plug to the Internet until ready......................... 37 3.4 Set a root password.................................... 38 3.5 Activate shadow passwords and MD5 passwords.................. 38 3.6 Run the minimum number of services required.................... 38 3.6.1 Disabling daemon services........................... 39 3.6.2 Disabling inetd or its services......................... 41 3.7 Install the minimum amount of software required.................. 41 3.7.1 Removing Perl.................................. 43 3.8 Read the Debian security mailing lists......................... 45 CONTENTS iv 4 After installation 47 4.1 Subscribe to the Debian Security Announce mailing list............... 47 4.2 Execute a security update................................ 48 4.2.1 Security update of libraries........................... 49 4.2.2 Security update of the kernel.......................... 49 4.3 Change the BIOS (again)................................. 51 4.4 Set a LILO or GRUB password............................. 51 4.5 Disable root prompt on the initramfs.......................... 52 4.6 Remove root prompt on the kernel........................... 52 4.7 Restricting console login access............................. 53 4.8 Restricting system reboots through the console.................... 54 4.9 Restricting the use of the Magic SysRq key...................... 55 4.10 Mounting partitions the right way........................... 55 4.10.1 Setting /tmp noexec............................... 57 4.10.2 Setting /usr read-only.............................. 57 4.11 Providing secure user access............................... 57 4.11.1 User authentication: PAM............................ 57 4.11.2 Limiting resource usage: the limits.conf file............... 61 4.11.3 User login actions: edit /etc/login.defs ................. 63 4.11.4 User login actions: edit /etc/pam.d/login ................ 64 4.11.5 Restricting ftp: editing /etc/ftpusers ................... 65 4.11.6 Using su...................................... 65 4.11.7 Using sudo.................................... 66 4.11.8 Disallow remote administrative access..................... 66 4.11.9 Restricting users’s access............................ 66 4.11.10 User auditing................................... 67 4.11.11 Reviewing user profiles............................. 69 4.11.12 Setting users umasks............................... 69 4.11.13 Limiting what users can see/access...................... 70 4.11.14 Generating user passwords........................... 71 4.11.15 Checking user passwords............................ 72 CONTENTS v 4.11.16 Logging off idle users.............................. 72 4.12 Using tcpwrappers.................................... 73 4.13 The importance of logs and alerts............................ 74 4.13.1 Using and customizing logcheck ....................... 75 4.13.2 Configuring where alerts are sent....................... 76 4.13.3 Using a loghost.................................. 76 4.13.4 Log file permissions............................... 77 4.14 Adding kernel patches.................................. 77